postfix is vulnerable to "Secure Client-Initiated Renegotiation" DoS according to testssl

Bug #1591706 reported by AlainKnaff
This bug affects 3 people
Affects            Status       Importance   Assigned to   Milestone
postfix (Ubuntu)   Incomplete   Undecided    Unassigned

Bug Description

According to testssl, postfix is vulnerable to "Secure Client-Initiated Renegotiation" DoS, and there seems to be no obvious way to change this using configuration:

testssl@sendar:~$ ./testssl.sh -t smtp 127.0.0.1:25
...
 Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat

1) root@sendar:/home/lilux/alain# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
2) root@sendar:/home/lilux/alain# apt-cache policy postfix
postfix:
  Installed: 2.11.0-1ubuntu1
  Candidate: 2.11.0-1ubuntu1
  Version table:
 *** 2.11.0-1ubuntu1 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.11.0-1 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

3) What I expected to happen

Postfix should either be resilient to this out of the box, or there should be a config option to make it so.

4) What happened instead

Postfix is vulnerable to this condition, without an obvious way to change this using configuration.

Robie Basak (racb)
information type: Public → Public Security
Rolf Leggewie (r0lf)
Changed in postfix (Ubuntu):
importance: Undecided → Critical
Dominic Raferd (dominic-timedicer) wrote:

The same vulnerability is reported for Postfix 3.1.0 under Ubuntu 16.04.1. But I am not sure whether this is a real vulnerability or merely an overly cautious report. Some info at http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html.

Changed in postfix (Ubuntu):
status: New → Confirmed
Christian Ehrhardt (paelzer) wrote:

This item seems hard to make really actionable, looking at how long nothing has happened. So I was looking around at other examples.

It might be overly cautious, as mentioned, but it could also just be a false positive like [1].
It is quite possible that this was the reason this showed up.

[1]: https://github.com/drwetter/testssl.sh/issues/484

Christian Ehrhardt (paelzer) wrote:

I can't expect that from anybody, but if someone can test with the latest master against Trusty and Xenial, that would be great.

Scott Kitterman (kitterman) wrote:

Based on the report against the test tool, unless this issue is validated with the current version of the tool released in May 2017, it's a false positive. It's not clear there's any kind of bug at all.

Changed in postfix (Ubuntu):
importance: Critical → Undecided
status: Confirmed → Incomplete